An insider look at the SEC’s cyber exam
Advisors have no excuse for not taking cybersecurity seriously. They’ve heard about the risks — the potential losses to their reputations and their bottom lines. At the same time, the SEC has publicly detailed its focus areas, such as risk assessment, data loss prevention, vendor management and incident response. What has been less obvious, however, is how examiners evaluate firms to determine whether they pass the test.
Several of the cybersecurity requests made of an independent advisor recently in an SEC exam may not be exactly what practitioners had in mind. But with an inside look at the regulator's questions, RIA owners can begin to institute and document the protocols needed to prepare and protect themselves and their clients — not only for a regulatory exam, but for a potential cyber breach as well.
Sample Request 1: Show the policies and procedures that address the protection of customer/client/user records and information. This includes policies and procedures that are designed to:
- Secure customer/client/user documents and information.
- Protect against anticipated threats to customer/client/user information.
- Protect against unauthorized access to customer/client/user accounts or information.
Sample Request 2: Produce a copy of the policies, procedures and standards that are designed to ensure that unauthorized persons do not access the advisor’s network resources and devices, or those policies, procedures and standards that restrict access according to job functions. This could include, for example, the access control policy, acceptable use policy, administrative management of systems policy or the corporate information security policy. Additionally, provide a copy of the last internal audit that covered access rights and controls.
This first request should underscore the need for a thoughtful and detailed cybersecurity policy. Everything asked for in this request, and more, should be covered in that policy. The policy should also spell out how each of these items is monitored and enforced.
As the second request makes plain, simply having a cybersecurity policy on paper is not enough: Cybersecurity preparedness and active monitoring must be a documented part of the RIA’s daily operations. The areas that should be covered include: data and applications inventory and risk assessment, access controls, identity protection and data loss prevention.
Sample Request 3: Produce a copy of the RIA’s policies, procedures and standards related to login attempts, failures, lockouts and unlocks or resets for each perimeter-facing system. Indicate how these policies are enforced and monitored.
The records produced in response should detail how the RIA is enforcing protocols around user access and access controls, including conditional access controls, as well as the firm’s account lockout and password policies. They could include verifications sent regarding password changes, and password vault reporting for business applications. In addition, RIAs need to show the controls in place for accessing fintech applications, including Software as a Service (SaaS) and on-premises software, and for vendors/IT support.
Sample Request 4: Provide a list of all cyber incidents, which should include the amount of actual client losses associated with each one, and the amount reimbursed by the RIA.
Firms need to produce detailed logs of suspicious access activity, making sure to track things like account lockouts and login attempts from abnormal locations. Even attempts that might indicate only a minimal-level threat or breach, such as phishing attacks, should be documented.
The examiners want to know that the firm tracks such attempted or thwarted events, because they know that every firm has them almost daily.
Attempted logins, mitigated viruses and malware reports are an even greater threat and should be tracked and recorded accordingly. Finally, actual fraud or a ransomware event would constitute a major breach, and the subsequent actions should be well documented.
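Requests 3 and 4 both come down to showing that login failures, lockouts and logins from unexpected locations are actually detected and recorded, not just described in a policy. The script below is an added illustration of that kind of monitoring, not code from the article or from any regulator or vendor. The log line format, the lockout threshold (five failures within ten minutes), the per-user expected-country table and the log entries themselves are all constructed assumptions for the example; a real firm would feed it the authentication logs of its own perimeter-facing systems and tune the thresholds to its written lockout policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format, not from any real system):
# <ISO-8601 UTC timestamp> user=<login> result=<SUCCESS|FAIL> src=<ip> geo=<ISO country>
SAMPLE_LOG = """\
2024-03-04T09:00:05Z user=jdoe result=FAIL src=203.0.113.5 geo=US
2024-03-04T09:00:21Z user=jdoe result=FAIL src=203.0.113.5 geo=US
2024-03-04T09:00:40Z user=jdoe result=FAIL src=203.0.113.5 geo=US
2024-03-04T09:01:02Z user=jdoe result=FAIL src=203.0.113.5 geo=US
2024-03-04T09:01:15Z user=jdoe result=FAIL src=203.0.113.5 geo=US
2024-03-04T09:05:00Z user=jdoe result=SUCCESS src=198.51.100.7 geo=US
2024-03-04T10:15:33Z user=asmith result=SUCCESS src=192.0.2.44 geo=RO
2024-03-04T11:30:00Z user=asmith result=FAIL src=192.0.2.44 geo=RO
"""

# Assumed policy parameters: lock after 5 failures inside a 10-minute sliding window.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=10)

# Assumed per-user table of countries a login is expected from (constructed).
EXPECTED_GEO = {"jdoe": {"US"}, "asmith": {"US", "CA"}}


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review_log(text, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW,
               expected_geo=EXPECTED_GEO):
    """Scan log lines in order and return a list of findings worth recording.

    Two finding types are produced:
      - "lockout": a user reached `threshold` failures within `window`
      - "abnormal_location": a successful login from a country not in the
        user's expected set
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        if rec["result"] == "FAIL":
            recent = failures[user]
            recent.append(ts)
            # Drop failures that have aged out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            # Fire exactly once when the threshold is reached; a real lockout
            # would block further attempts at this point anyway.
            if len(recent) == threshold:
                findings.append({"type": "lockout", "user": user, "ts": ts,
                                 "src": rec["src"], "failures": len(recent)})
        else:
            # A successful login resets the failure counter for that user.
            failures[user].clear()
            if rec["geo"] not in expected_geo.get(user, set()):
                findings.append({"type": "abnormal_location", "user": user,
                                 "ts": ts, "src": rec["src"], "geo": rec["geo"]})
    return findings


def summarize(findings):
    """Count findings by type, the kind of tally an incident list would carry."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review_log(SAMPLE_LOG)
    for f in results:
        print(f)
    print(summarize(results))
```

Run against the constructed log, the script records one lockout for `jdoe` (five failures in just over a minute) and one abnormal-location login for `asmith` (a success from RO when only US and CA are expected); `asmith`'s single later failure stays below the threshold and produces nothing. Writing each finding, with its timestamp and source, to a retained incident list is what turns the policy language of Request 3 into the evidence Request 4 asks for.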
Sample Request 5: Show a copy of the policies, procedures and standards related to verification of the authenticity of a customer/client request to transfer funds externally. If no such written policies, procedures, or standards exist, describe the process followed to verify the authenticity of fund transfer requests and list the individuals and/or departments involved in the approval process.
RIAs should remember that custodians are increasingly unwilling to cover RIA missteps around fund transfers, so firms no longer have the implicit safety net that may have once existed. Depending on the type of breach and the size of the firm, RIAs can spend more than $100,000 out of pocket to manage the fallout from a breach, which could include credit monitoring, legal, compliance and notification expenses.
These are just a handful of the requests that regulators will make. It is common to see a dozen or more questions related to cybersecurity in these exams. Other questions might cover policies, protocols and oversight of third-party vendors, data loss prevention policies, or the firm’s usage of multifactor authentication.
No topic is off limits, and the level of detail requested may catch some firm owners off guard.